In a recent episode of the GovCyberHub Podcast, we sat down with a small panel of cybersecurity experts to discuss the current cyber extortion threat facing government organizations, state and local agencies, and private enterprises.
What we learned is that cyber extortion isn’t just limited to ransomware attacks. Like the one that was launched against the Scottish Environment Protection Agency (SEPA) last month. Rather, the act of threatening government organizations with sophisticated cyberattacks in exchange for financial reward can be perpetrated with tools other than ransomware – where files and systems are encrypted and held for ransom. In fact, experts are increasingly seeing DDoS attacks – or the threat of DDoS attacks – being leveraged to extort money from organizations.
One of the most recent examples of DDoS as cyber extortion is an extortion campaign that experts have named, “Lazarus Bear Armada.” To learn more about this particular extortion campaign, how it’s using DDoS to extort funds, and what agencies can do to protect themselves, we recently spoke with Tom Bienkowski, a Product Marketing Director at NETSCOUT.
Here is what Tom told us:
GovCyberHub (GCH): What is Lazarus Bear Armada, other than a somewhat silly-sounding name?
Tom Bienkowski: Lazarus Bear Armada or “LBA,” is the name that NETSCOUT’s ATLAS Security Engineering and Research Team (ASERT) gave to a particular DDoS extortion campaign.
The reason they gave it this name was because, when the attacker sent an extortion note to their target, to add legitimacy, they would identify themself as being from one of three well-known Advanced Persistent Threat Groups (APTs) – Lazarus Group, Fancy Bear, and Armanda Collective.
GCH: In the case of Lazarus Bear Armada, what are the attackers looking to accomplish? What is their motivation for conducting these attacks?
Tom Bienkowski: As the name suggests, their motivation is financial gain via cyber extortion. When most people hear “cyber extortion,” they think of ransomware. That’s understandable, as there’s so much media attention around ransomware. And ransomware is – indeed – a type of cyber extortion where the attacker encrypts your data and holds it for ransom before giving you a key to decrypt.
With DDoS extortion, it’s more about the threat of a future attack.
As was the case with the Lazarus Bear Armada campaign, the attacker launches a smaller-sized DDoS attack. That attack coincides with an extortion note threatening to launch another, much larger and more sophisticated attack in the future unless a ransom is paid.
GCH: Where is this campaign coming from? What are its origins?
Tom Bienkowski: Because of the distributed nature of a DDoS attack, it’s always difficult to determine who’s behind these attacks or where the campaign is coming from. But, we do know who was being targeted.
Back in mid-August 2020, we started seeing DDoS extortion attacks targeting organizations in New Zealand and Australia. Over the next few months, the campaign quickly became global, spreading throughout Europe, the Middle East, Africa, the U.S., and Latin America.
GCH: Have there been any large companies or notable organizations that have been impacted by this campaign? Are there specific industries that they’re targeting?
Tom Bienkowski: Yes, besides being global in nature, these attacks have targeted specific industries. Initially, we saw the attacks targeting financial institutions, such as regional stock exchanges. They were also targeted at local Internet Service Providers.
As the attacks spread throughout the world, so did the industry targets. We began to see travel agencies, airlines, currency exchanges, insurance companies, healthcare organizations, energy companies, biotech firms, technology companies, and even retail organizations be targeted.
GCH: What tools and vectors are they using to conduct their attacks?
Tom Bienkowski: They only execute DDoS attacks. We have seen the attacker launch 50Gbps-300Gbps sized, multi-vector DDoS attacks, utilizing vectors that include:
- NTP, DNS, ARMS, SSDP, Memcached, CLDAP, and TCP reflection/amplification attacks.
- UDP/4500, UDP/500, HTTP/S request, spoofed SYN, TCP ACK, and GRE & ESP packet- flood attacks.
So far, none of the attack types are novel. Because of this, we believe the attacker is using an underground DDoS for hire service or DDoS attack tool.
GCH: What should government agencies and other organizations concerned about attacks and campaigns such as Lazarus Bear Armada do to protect themselves and their networks?
Tom Bienkowski: Be prepared. As mentioned previously, ransomware and DDoS are both forms of cyber extortion. But, there’s a major difference between the two if you are not prepared.
If you did not have a proper data backup/restoration or network segmentation plan in place, you have no choice but to pay the ransom, and there is still no guarantee the attacker will fulfill their end of the bargain and give you the decryption key.
On the other hand, with a DDoS extortion attack, you can control your destiny. There are many ways to stop a DDoS attack – even DDoS attacks as large or sophisticated as the ones this campaign is using.
You can use a managed DDoS service from your local ISP, or a managed security service provider. There are many products specialized for DDoS protection – with the exception of firewalls, which many IT professionals mistakenly assume offer DDoS protection. You can even use your network infrastructure – like your routers – to block DDoS attacks.
The bottom line is, if you’re prepared, you should never have to pay the attacker.
To learn more about the DDoS threat facing government organizations and state and local agencies, click HERE for a complimentary copy of NETSCOUT’s 1H 2020 Threat Intelligence Report.